Messaging Gateway

  • 1.  Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 15, 2010 05:53 PM

    Hello.

    We have a remote party who would like to enforce TLS for all mail from us to them and vice versa.

    They have a wildcard cert, and when they enforce TLS from their side, our Brightmail is rejecting their connections.

    Is this normal?

    Thanks!



  • 2.  RE: Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 16, 2010 09:38 AM

    So the remote party is requiring TLS on outbound connections to YOUR MTA. Do you have a publicly signed certificate assigned to your Scanner? (e.g. signed by VeriSign?)

    Per help for scanner setup:

    Accept TLS encryption:  Indicates whether to accept TLS-encrypted connections. You must configure an MTA TLS certificate and assign it to this Scanner before you can accept TLS encryption.

    If you send me your domain (via private message) I'll use the OpenSSL tool on my scanner to validate your setup.

    If you have a 2nd scanner you can try it yourself:

    enable support account

    login as support

    issue the command

           openssl s_client -connect <IP address>:25 -crlf -CAfile /usr/share/ssl/certs/ca-bundle.crt -starttls smtp

           ...where <IP address> is the IP address of the appliance with TLS encryption to be tested.



  • 3.  RE: Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 16, 2010 05:52 PM

    Just verified - no problem.



  • 4.  RE: Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 16, 2010 05:55 PM

    Hi Cricket17. Thank you for checking. We don't have any problems accepting TLS connections from anyone else. Just this company, and they happen to use a wildcard certificate on their mail servers.

    Also we enforce TLS to Them, and everything works fine; mail gets delivered from us to them just fine.

    We have four scanners, all of which have valid commercial certs.

    I will try openssl from one of our scanners to another to make sure.


  • 5.  RE: Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 17, 2010 09:12 AM

    Testing from my end, with SBG set to use TLS and verify the certificate, shows an issue. Perhaps your sender is doing the same then. SBG requires that the MTA hostname matches that of the certificate. It appears that your MX hostname and that of your actual SBG box differ, and that the cert is issued for your host's PRIVATE name. So while the OpenSSL test shows a valid trust chain, SBG rejects the hostname difference.

    I think the fix for this is to make sure your MTA hostname matches the cert hostname, or that the cert Sub Alt names include any aliases.

    You should have a talk with Symantec to confirm.



  • 6.  RE: Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 17, 2010 02:48 PM

    Hmmm... on our end, we set up TLS to their domain to only present the cert and not verify...

    Thanks for checking. I will dig in this direction now.

    Although I am pretty sure that our MTA name and the machine's physical name match.

    (I once changed the MTA name to something else and THEN I was not able to send out any TLS-encrypted mail.)



  • 7.  RE: Someone wants to enforce TLS to us AND use wildcard cert

    Posted Sep 17, 2010 04:50 PM

    It is my understanding that SBG, when delivering outbound using TLS, requires that the hostname from the MX record it used to connect to the recipient MTA must match one of the names in the remote TLS certificate, either the common name or one of the alternate subject names.

    I'm having this issue connecting outbound to a 3rd party.
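The hostname-matching rule that posts 5 and 7 describe (the name used to reach the MTA must equal the certificate's common name or one of its subject alternative names, and a wildcard such as *.example.net covers only one label) can be checked offline before a partner enforces TLS. The Python below is an added example written for this thread; it is not code from the forum, from Symantec Messaging Gateway, or from any of the posters. The certificate dictionaries in it are constructed samples in the shape Python's ssl getpeercert() returns and describe no real server; the matching logic follows RFC 6125 section 6.4.3 rather than SBG's own implementation, which the thread does not show.

```python
"""Added example: does the hostname used to reach an MTA appear in its
TLS certificate?

Illustration code only; not part of the forum thread and not SMG/SBG
code. It applies the rule the thread describes (the connecting hostname
must equal the certificate's common name or one of its DNS subject
alternative names) with the wildcard handling of RFC 6125 section 6.4.3:
'*' may only stand for the whole leftmost label and never spans a dot.
The certificate dicts below are constructed samples in the shape
returned by ssl.SSLSocket.getpeercert(); they describe no real server.
"""
from typing import List, Optional, Tuple


def _canon(name: str) -> str:
    """Lower-case and drop a trailing dot so 'MX1.Example.NET.' equals 'mx1.example.net'."""
    return name.strip().lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly '*.example.net') covers hostname."""
    pattern, hostname = _canon(pattern), _canon(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label: 'm*.example.net' and
    # 'mx.*.example.net' are refused, as is a too-broad '*.net'.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so '*.example.net' covers
    # neither 'a.b.example.net' nor the bare 'example.net'.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_dns_names(cert: dict) -> List[str]:
    """Return the DNS names a getpeercert()-style dict asserts.

    Subject alternative names take precedence; the common name is only
    consulted when the certificate carries no DNS SAN entries at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_covered(cert: dict, hostname: str) -> Tuple[bool, Optional[str]]:
    """Return (covered, matching_name) for the MX hostname against cert."""
    for name in cert_dns_names(cert):
        if name_matches(name, hostname):
            return True, name
    return False, None


# Constructed sample: a wildcard certificate of the kind the thread's remote
# party uses. Any single-label host directly under example.net is covered.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("DNS", "example.net")),
}

# Constructed sample reproducing the mismatch found in post 5: the cert was
# issued for the appliance's private name while the MX record points elsewhere.
PRIVATE_NAME_CERT = {
    "subject": ((("commonName", "smg01.corp.example"),),),
    "subjectAltName": (("DNS", "smg01.corp.example"),),
}

if __name__ == "__main__":
    for cert, host in ((WILDCARD_CERT, "mx1.example.net"),
                       (WILDCARD_CERT, "relay.eu.example.net"),
                       (PRIVATE_NAME_CERT, "mx.example.net")):
        ok, matched = hostname_covered(cert, host)
        verdict = "OK via " + matched if ok else "REJECT: no certificate name matches"
        print(f"{host:24} -> {verdict}")
```

To apply it to a live peer, feed hostname_covered() the dict from getpeercert() on a connection opened to the MX hostname; the second sample shows the thread's failure mode, where the trust chain is valid but no name on the cert equals the MX name, so a verifying sender rejects the session. The fix the thread converges on is the one the code encodes: issue the cert for the MX hostname, or add every alias the MX records use as a subject alternative name.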